96064/SP6429 - 2

Applying Risk Management

Risk Management and Quality

Assurance
Practical Steps in Assessing, Quantifying
and Managing GMP Compliance Risks

96064/SP6429-2 V4.1

© SeerPharma Pty Ltd

This presentation is copyright to SeerPharma Pty Ltd and may not be modified, reproduced, sold,
loaned, hired or traded in any form without the express written permission of SeerPharma Pty Ltd,
SeerPharma (Singapore) Pte Ltd or its subsidiaries.

Module Contents

• This module introduces an approach for the implementation of risk

management to GxP compliance programs. The module explains
the concepts within ICH Q9 – Quality Risk Management Guidance
and provides guidelines on how to audit compliance using risk
principles.

• The module provides guidance on how risk management practices

are used to support compliance programs and uses an industry
case study as an example.

SP6429-2/96064-2 Ver 4.0 1

 96064/SP6429 - 2
Applying Risk Management

Module Objectives
On completion of this module you should be able to:

• State the key contents of ICH Q9 and explain their meaning

• List the quality management system elements that utilize risk

analysis

• Audit cGMP compliance using a risk approach

• Classify cGMP non-conformances according to risk priority

Some Useful Documents

• AS 4360:2004 - Risk Management Standard

• HB 436:2004 - Risk Management Guidelines

• FDA Pharmaceutical CGMPS for the 21st Century - A risk based

approach (9/2004)
– Risk based model for inspection oversight
– Quality systems approach driven by risk management

• ICH Q9 - Risk Management in Pharmaceuticals

• ISPE White Paper - Risk Based Approach to Qualification

– ASTM E55.03 (Draft) (WK9864) Standard Guide for a Science and Risk
Based Approach to Qualification

• HFPB Canada: Guide-0023 Risk Classification for GMPs

• EU/ PICs/TGA cGMP - Annex 15 Validation

4

SP6429-2/96064-2 Ver 4.0 2

 96064/SP6429 - 2
Applying Risk Management

PIC/S GMPs – 2009 and Risk

(the part that’s auditable)
• The basic concepts of Quality Assurance, Good Manufacturing
Practice, Quality Control and Quality Risk Management are inter-
related. (Ch 1 Principles)

• Quality Risk Management can be applied both proactively and

retrospectively. (Clause1.5)

• A risk assessment approach should be used to determine the scope

and extent of validation. (Annex 15 Principles)

• The likely impact of the change of facilities, systems and equipment

on the product should be evaluated, including risk analysis. (Annex
15 Change Control)

PICS GMPs – 2009 and Risk

(the part that’s auditable)
• The quality risk management system should ensure that:

– the evaluation of the risk to quality is based on scientific

knowledge, experience with the process and ultimately links to
the protection of the patient;

– the level of effort, formality and documentation of the quality risk

management process is commensurate with the level of risk.

Clause 1.6

SP6429-2/96064-2 Ver 4.0 3

 96064/SP6429 - 2
Applying Risk Management

Compliance Risk Management

Some Industry Trends

• Manufacturers are now expected to know their risks and

demonstrate how they are being managed

• More formalised risk management programs being put in place

• Slow shift from “compliance” focus to ensuring patient and user

safety in GMPs … Regulators play a role here

• Potential for abuse by industry - risk manage and rationalise

away real problems

Seeking Guidance from CGMPs

• The Codes of GMP defines outcomes rather

than processes.
c
• Outcomes: What to do ? Codified in cGMPs

• Processes: How to do it ? Left up to the

manufacturers but must be in “compliance”
with the cGMPs

Consequently, there is a risk that auditors

c
(internal and regulatory) will identify
deficiencies inconsistently, unless clear
guidance and adequate definitions are
provided.

SP6429-2/96064-2 Ver 4.0 4

 96064/SP6429 - 2
Applying Risk Management

Recent European Changes

MHRA Risk Reporting Initiative
• MHRA launched 1st April 09 company reporting on compliance
risk

• Participating sites are those UK sites that hold a Manufacturing

Authorization and 3rd Country sites that are named on a UK
Marketing Authorisation

• Sites will be required to complete a Compliance Report in

advance of inspection – must identify risks

• The inspector will identify a risk rating for the site, this will in turn
equate to a future inspection frequency

• Risk ratings identify the degree of surveillance required within

the licensing and inspection program
9

MHRA GMP Risk Reporting Guidance

• The purpose of the compliance report is to report to the appropriate

MHRA inspector the changes on site in the following categories
– Shift in performance
– Key Personnel or staff numbers
– Company ownership/ structure or status
– Processes/ Products
– Facilities/Equipment
– Other
• Change is regarded as either an indicator of an increase or
decrease in risk or as a risk itself. As such the inspector will consider
the changes in reaching a conclusion as to the current risk rating of
the site.

10

SP6429-2/96064-2 Ver 4.0 5

 96064/SP6429 - 2
Applying Risk Management

MHRA GMP Compliance Report

Examples
Please provide information on site changes that the MHRA should be aware of in
conducting a GMP compliance risk assessment of the site.
• An increase has been seen in non conformances across the site from
54 per year to 79 per year against a steady product /batch volume.
• Two non conformances have been raised for issues that we regard as
critical. One related to a cross contamination of a batch due to addition
of an amount of an incorrect API. The other was due to identification of
rogue tablets of product Z in a blister run of product Y.
• Two packaging line supervisors retired and replaced by internally
promoted Operators.
• Product A no longer manufactured on site. Product B has been
transferred from Site Z.
• No changes in facilities or equipment.
11

ICH Q 9 Quality Risk

Management (QRM)

• In relation to pharmaceuticals, ……. the protection of the

patient by managing the risk to quality should be considered of
prime importance.

• It is neither always appropriate nor necessary to use a formal

risk management process.

• Using informal processes is also acceptable.

• QRM does not negate industry’s obligation to comply with

regulatory requirements

12

SP6429-2/96064-2 Ver 4.0 6

 96064/SP6429 - 2
Applying Risk Management

ICH Q 9 Quality Risk

Management (QRM)
• QRM activities are usually undertaken by inter - disciplinary
teams.
• When teams are formed, they should include experts from the
appropriate areas
– (e.g., quality unit, engineering, regulatory affairs, production
operations ….) plus people trained in QRM
• Risk communication is the sharing of information about risk and
risk management between the decision makers and others.
Examples include:
– Product literature and labelling
– Adverse event notifications
– Recall decisions
– Non-compliance analysis
– Annual product reviews
13

ICH Q 9 Risk
Assessment
• Risk assessment consists of the identification of hazards and
the analysis and evaluation of risks associated with exposure to
those hazards

• As an aid to clearly defining the risk(s) for risk assessment

purposes, three fundamental questions are often helpful:
1. What might go wrong?
2. What is the likelihood (probability) it will go wrong?
3. What are the consequences (severity) if it did go wrong?

14

SP6429-2/96064-2 Ver 4.0 7

 96064/SP6429 - 2
Applying Risk Management

ICH Q9 QRM – Application in GxP Compliance

• Compliance (QA) Management

– Auditing
– CAPA
– Product Complaints and ADEs
– Deviation Investigation and Control
– Change Control

• Vendor and Sub-Contractor Management

• Validation programs

• Annual Product Reviews

• Predictive Risk Strategies / Programs – Prevention

15

ICH Q9 Risk Reviews

• Risk management should be an ongoing part of the quality

management process.
• A mechanism to review or monitor events should be
implemented.
• Review points could include:
– results of product review
– inspections, audits,
– change control
– root cause from failure investigations,
– recall and complaints.

• The frequency of any review should be based upon the level of

risk.

16

SP6429-2/96064-2 Ver 4.0 8

 96064/SP6429 - 2
Applying Risk Management

ICH Q9 QRM Methodology/Tools

• Basic risk management facilitation methods (flowcharts, check

sheets, etc.)
• Failure Mode Effects Analysis (FMEA)
• Failure Mode, Effects, and Criticality Analysis (FMECA)
• Fault Tree Analysis (FTA)
• Hazard Analysis and Critical Control Points (HACCP)
• Hazard Operability Analysis (HAZOP)
• Preliminary Hazard Analysis (PHA)
• Risk ranking and filtering
• Supporting statistical tools
• The formality of quality risk management should reflect the
complexity and/or criticality of the issue to be addressed.
17

ICH Q9 QRM
Applications
• Documentation To determine the desirability of and/or develop
the content for SOPs, guidances, etc.

• Training and education To determine the appropriateness of

initial and/or ongoing training.

• Quality defects To provide the basis for identifying, evaluating,

and communicating the potential quality impact

• Periodic review To select, evaluate, and interpret trend results

of data within the product quality review

• Change control - impact assessment

18

SP6429-2/96064-2 Ver 4.0 9

 96064/SP6429 - 2
Applying Risk Management

What is an acceptable risk to quality ?

• Different stakeholders have different views

• Notion of "risk" may be not the same for industry and
competent authority / regulatory agency
• Regulators have product safety and policy to deal with
• Company key stakeholders tolerance to risk is different
– Marketing
– Production / Operations
– Quality Assurance
– Executive
• One common denominator is “protection of the patient”

19

Assessing risk in drug product

manufacture

Practical Steps in Assessing, Quantifying and

Managing GMP Compliance Risks

© SeerPharma Pty Ltd

This presentation is copyright to SeerPharma Pty Ltd and may not be modified, reproduced, sold,
loaned, hired or traded in any form without the express written permission of SeerPharma Pty Ltd,
SeerPharma (Singapore) Pte Ltd or its subsidiaries.

SP6429-2/96064-2 Ver 4.0 10

 96064/SP6429 - 2
Applying Risk Management

Consequences - Hazard/Harm
Analysis
• There are four (4) components for analysing hazards or
consequences/severity.

– Hazard statement - describes the potential hazard

– Foreseeable Sequence of Events (in both normal and fault

failure modes) that could cause the hazard to occur

– Harm/Severity - statement of harm to the patient or user as a

result of the hazard

– Rating of the harm or severity

21

Parameters for Assigning Risks

- Risk Priority Number (RPN)

Probable Frequency

Severity / X Probability X Detectability

Consequences
Refers to
Refers to

Refers to

= RPN
Potential hazard or risk Past History or Integrity of Verification
of harm to the Patient Knowledge and QC Methods
or User

22

SP6429-2/96064-2 Ver 4.0 11

 96064/SP6429 - 2
Applying Risk Management

Preliminary Hazard Analysis and top down

FMEA example
• PHA is an analysis tool based on applying prior experience or
knowledge of a hazard or failure to identify potential hazards,
hazardous situations and events that might cause harm, as well
as to estimate their probability of occurrence for a given activity,
facility, product, or system.

The tool consists of:

1. the identification of the possibilities that the risk event happens,
2. the qualitative evaluation of the extent of possible injury or damage
to health that could result,
3. a relative ranking of the hazard using a combination of severity
and likelihood of occurrence, and
4. the identification of possible remedial measures

• Tool is easier to use than full FMEA

23

Severity Rating

Rating Effect Criteria

2-1 Minor Patient not concerned. No patient injury. No noticeable effect on product
Inconvenience performance. Very low impact on cGMP compliance.

4 Minor Customer experiences some minor nuisance and becomes slightly

Dissatisfaction annoyed. Complaint probable but no patient injury.. Minor/cosmetic effect on
product performance. Some impact on GMP compliance.
6 Major Major user dissatisfaction, product non-performance evident but safe, no resulting
Dissatisfaction injury to patient.
Major non - compliance with GMPs. Possible excursions from marketing
authorization.
8 Moderate A failure that can cause a moderate harm or adverse reaction to a patient or user but
Health Hazard will not result in chronic harm. The harm will require treatment. Product performance
is either partially or completely degraded. Product complaint expected.
Major non - compliance with GMPs. Probable excursions from marketing
authorization. Possible recall.

10 Catastrophic A failure that can by itself cause (directly) death or a significant harm to a patient or
Health Hazard user. Critical non - compliance with GMPs. Loss or restriction of GMP License
probable. Multiple excursions from marketing authorization. Probable recall.

24

SP6429-2/96064-2 Ver 4.0 12

 96064/SP6429 - 2
Applying Risk Management

Example Consequences/Severity Statement

The company manufactures microdose, narrow therapeutic

prescription tablets. The mixing process is not validated
Hz # Hazard Statement Potential or Foreseeable Harm: Score
Failure Modes:
1 The patient The mixing process is not (a) the patient receives 8
receives a dose validated for the new blender. excess dose - leads to
that is outside the The bulk product is not mixed patient acute discomfort
therapeutic window to acceptable homogeneity and a complaint
(less than 3% rsd)
(b) the patient receives
insufficient dose - could
lead to inadequate
treatment and complaint 6
/ adverse event but no
chronic harm

25

Probability of Occurrence Scales

Rating Likelihood Probability of Failure Possible Failure Rate

Of Occurrence (Qualitative Criteria) (Quantitative Criteria)
2 -1 Remote Rare numbers of failures are likely Once every 3 –6 years
to occur. ≤ 3 per 10 million

4 Slight Few failures are likely Once per year

to occur. ≤ 6 per 100,000

6 Medium A medium number of Once every 3 months

failures are likely to ≤ 0.03%
occur.

8 High A high number of Once per week

failures are likely to occur. ≤ 5%

10 Almost Failures almost More than once per day

Certain certainly will occur. > 30%

26

SP6429-2/96064-2 Ver 4.0 13

 96064/SP6429 - 2
Applying Risk Management

Detection Rating Scales

Rank Detection Criteria

2 -1 Very High The listed Controls have an excellent chance of detecting the Cause of Failure and/or
the subsequent Failure Mode. All units are automatically inspected. Tests are
validated.

4 Reasonable The listed Controls have a reasonable chance of detecting the Cause of Failure and/or
the subsequent Failure Mode. SPC used with an immediate reaction to out of control
conditions. Tests are validated

6 Uncertain It is uncertain that the listed controls will detect the Cause of Failure
and/or subsequent Failure Mode. Manual/automated inspection with mistake-proofing.
Units are systematically sampled and inspected using AQL sampling. Tests are
validated.

8 Very The listed Controls will very likely not detect the Cause of Failure and/or the
Unlikely subsequent Failure Mode. Units are irregularly sampled and inspected using AQL
sampling. Control tests are not validated.

10 None Action will / can not detect the Cause of Failure and/or the subsequent Failure Mode,
or there is no action possible. Defect caused by failure is not detectable

27

Likelihood (Frequency) Statement

Hz Probability of Occurrence Score Detectability Score Frequency

# Score
1 These records were examined
 In- process testing records for
last 12 months (23 batches)
 Non-conforming (failed)
batches history - last 2 years
 Complaints history
 Maintenance history of the
blending equipment
 Adverse events profile
 Internal audit reports for the
process line
 Tested multiple samples from
the current manufactured Lot
 The risk team concluded that
the process potentially
would have a Cpk of less
than 0.8 and that it was
possible 1 in 10 batches
would produce defects
8 The risk team identified, 9 The Frequency
via examination of batch was calculated as:
records and process [Pr(occur) (8) X
Detect. (9)] 0.5
instructions:
= rounded up 9
There was no in-process
testing for bulk blend
uniformity
The QC laboratory tested
20 tablets for content
uniformity from an
average batch size of
200,000 tablets
Occasional units are
checked for defects

28

SP6429-2/96064-2 Ver 4.0 14

 96064/SP6429 - 2
Applying Risk Management

Classification Table for Risk Priority Number

Example:

29

Workshop - Product Complaint

(groups of 3 - 5)
• The QA department receives a complaint from an irate customer
that they cut their mouth on the glass lip of a multidose bottle
when taking the medication. The returned bottle showed a glass
chip from the rim of the opening.
• A quick check of the Lot and product history showed the
following:
– The use instructions state to pour the contents into a measure then
administer.
– The Lot had been on the market 5 months without incident. The
shelf life was 24 months - the Lot size was 15,000 units and
approximately 50% of the Lot had been consumed.
– There were very few similar complaints for this container closure
system- approx. 3 over the last 2 years.
– A check of a sample of 750 containers in the warehouse showed
no defects

30

SP6429-2/96064-2 Ver 4.0 15

 96064/SP6429 - 2
Applying Risk Management

Workshop - Product Complaint

(groups of 3 - 5)
• Part #1
Individually write down what you would do, then, as a group, discuss
what you would do next if you were the QA executive. Try and reach
a consensus.

• Part #2
Next try using a risk based approach to evaluating the problem - that
is consider (a) Severity/consequences (b) Probability of
(re)occurrence and (c) Detectability

31

Regulatory Agency Re-audit Program

based on Compliance and Product Risk
Compliance Good Satisfactory Poor Unacceptable

Product Risk**
High 24 18 12 Review Panel
Months Determines
(<3)
Medium 30 20 12 Review Panel
Determines
(<6)
Low 36 24 12 Review Panel
Determines
(<12)
**High - eg sterile products Medium - eg OTC products Low - eg sunscreen products
Audit frequency may be altered further if a company has recalls, complaints, testing failures, etc.

33

SP6429-2/96064-2 Ver 4.0 16

 96064/SP6429 - 2
Applying Risk Management

Compliance Auditing - The Challenge

Link - cGMP Compliance and Patient Risks

cGMP Compliance Patient Risk

cGMP Inspection
Identify Risk 

RISK  RISK 

34

Compliance and Product/Patient Risk

• How well are these aligned ?

• Does “non compliance” = product/patient risk ?
• How do regulators view this relationship ?

Manufacturers dilemma:
• Must meet GMP compliance but industry is expected to apply risk
assessment to problems
• Potential for mis-alignment of views
Example: A manufacturer may view replacement of a like - for - like vacuum
pump on an autoclave as not requiring re- validation but the regulator
may have a different experience or review of risk and require re-
validation.
35

SP6429-2/96064-2 Ver 4.0 17

 96064/SP6429 - 2
Applying Risk Management

ICH Q9 QRM Audit Applications

• Define the frequency and scope of audits, both internal and

external, taking into account factors such as:
− Existing legal requirements
− Overall compliance status and history of the company or facility
− Robustness of a company’s quality risk management activities
− Complexity of the site
− Complexity of the manufacturing process
− Complexity of the product and its therapeutic significance
− Number and significance of quality defects (e.g., recall)
− Results of previous audits/inspections
− Major changes of building, equipment, processes, key personnel

36

Risk Based Auditing Approach

5 Steps
• Plan Audit based on risk priority - identify potential compliance risks
in the plan
• Conduct the Audit using the plan
• Classify observations using risk assessment
– based on severity/consequence
– based on likelihood or frequency of occurrence

• Elevate higher risks to CAPA status

• Put in place verifiable corrective action plans for higher risk areas.

37

SP6429-2/96064-2 Ver 4.0 18

 96064/SP6429 - 2
Applying Risk Management

Audit Risk Assessment Classification

38

Canadian CGMPs - Auditing Guidance

Health Products and Food Branch Inspectorate Guide-0023 Risk Classification of
GMP Observations
Hazard Types
• Critical observation:
– Observation likely to result in a non-compliant product or
– a situation that may result in an immediate or latent health
risk and any observation that involves fraud,
misrepresentation or falsification of products or data.
• Major observation:
– Observation that may result in the production of a drug
not consistently meeting its marketing authorization.
• Other observation:
– Observation that is neither critical nor major but is a
departure from the GMP

39

SP6429-2/96064-2 Ver 4.0 19

 96064/SP6429 - 2
Applying Risk Management

Canadian CGMPs - Auditing Guidance

Health Products and Food Branch Inspectorate Guide-0023 Risk Classification of
GMP Observations

Hazard - Products impacting “Severity or Harm”

• Critical risk product: A critical product is one for which any of the
following criteria may apply:
 narrow therapeutic window
 high toxicity
 sterile product
 biological drug
 complex manufacturing process:
• High risk product: Any product that may trigger a health risk even
at low levels, following cross-contamination. Those include but are
not limited to penicillins, certain cytotoxic and biological products.
• Low risk product: Products such natural health products including
vitamins and minerals preparations that are not a schedule drug or a
sterile drug, and certain topical non prescription veterinary
formulations registered as “old drugs”.
40

Compliance and Product/Patient Risk

(Some examples)

• No HEPA filter in vacuum cleaner

• Geobacillus stereo. in purified water system

• Lack of historical Equipment IQ / OQ evidence

• Viscosity does not meet monograph specifications

• No Cleaning Validation for Listed / Complementary Products

41

SP6429-2/96064-2 Ver 4.0 20

 96064/SP6429 - 2
Applying Risk Management

Workshop # 1 - Quality Alert

Investigation using Risk Assessment

Your task is to review the information provided

and develop an investigation plan using risk
analysis as the means to prioritise tasks. Your
team should consider a number of factors
including risk to the patient / user, potential liability
and risk to the GMP license.

In summary you should be able to nominate in

order of risk exposure 6 – 8 issues that the
company needs to consider to resolve the
situation. You may use quantitative or qualitative
methods.

The workshop will take approximately 75 minutes

to complete. Be prepared to present your
findings.

42

Using Risk Management in

Assessing Manufacturing
Deviations

© SeerPharma Pty Ltd

This presentation is copyright to SeerPharma Pty Ltd and may not be modified, reproduced, sold,
loaned, hired or traded in any form without the express written permission of SeerPharma Pty Ltd,
SeerPharma (Singapore) Pte Ltd or its subsidiaries.

SP6429-2/96064-2 Ver 4.0 21

 96064/SP6429 - 2
Applying Risk Management

Some Useful Definitions

Deviation
A deviation from agreed or documented quality systems, procedures
or instructions or failure to meet an in-process control limit.

Planned Deviation (Temporary Change)

A deviation or change to test methods, laboratory or manufacturing
procedures that has been planned and approved as part of
temporary change.

Unplanned Deviation
A deviation or change to test methods, laboratory or manufacturing
procedures that was unplanned and was the result of an incident or
error.

48

Some Useful Definitions

In- Processing Limits or levels

Means a statement or range which defines “un-official tests” primarily
used for in-process control or process adjustments. Failure to meet a
limit does not by itself necessarily lead to a non-conformance, but does
result in a Deviation. Limits may be tiered eg. “Target, Warning and
Action” levels.

Non-Conformance
Means the non-fulfilment of a specified “material/product” requirement -
(usually to a specification) A non-conformance usually leads to rejection
or reworking of the item.

49

SP6429-2/96064-2 Ver 4.0 22

 96064/SP6429 - 2
Applying Risk Management

Manufacturing Deviation Control

(3 situations)
A. Planned Deviations (Temporary Changes) - batch(es) specific
• QA approval of the planned change
• Justification, additional testing, stability etc
• Authorisation for change - in line with registration

B. Unplanned Deviations - batch specific

• Batch recording of deviation - use a form
• QA review of implications - release, more tests etc.
• Corrective action to prevent recurrence

C. Incident - non batch specific event

• Batch recording of deviation - use a form
• QA review of implications for process line security etc.

50

Example
Risk Based Deviation Flow Chart
Deviation Initiated
1st risk Responsibility List
review
Production Supervisor

Production Manager

Site QA Review
 Verify risk rate 2nd
 Check correction risk
 Assess CAPA review

Site QA Manager
Site QA Review
CAPA Assess Release for
Needed Supply &
? Compliance

Yes

Activate Authorised Person

CAPA

51

SP6429-2/96064-2 Ver 4.0 23

 96064/SP6429 - 2
Applying Risk Management

Risk Rating Deviations - Consequences

52

Risk Rating Deviations - Likelihood

53

SP6429-2/96064-2 Ver 4.0 24

 96064/SP6429 - 2
Applying Risk Management

Deviation Report - Risk Assessment

Section 5 - Risk Assessment (Completed by Site Quality Assurance and Area Management)
Severity Overall Risk Category.

Probability (if Risk 7, 8, 9 then refer to Corporate QA for Assessment)

Comments:

Prepared By: Signature: Date:

Section 6 - CAPA Assessment

CAPA Action required? Yes Refer to CAPA # No
Site QA Approval By: Signature: Date:

Section 7 – Corporate QA Assessment (if required)

Corporate QA Review Risk Agree with Rating Disagree – Revised Rating No._____
Corporate QA Approval By: Signature: Date:

Section 8 – Contract Customer Approval (if required)

CONTRACT PRODUCT: YES CONTRACT COMPANY:
Approved: Contract Quality A ssurance
Date:

54

Example of a Deviation or Incident

(Workshop #2 - group exercise)
• The company makes sterile glass ampouled
products
• In dispatch the forklift driver accidentally
drops a pallet and smashes some ampoules
from 2 lots of the same product.
• The incident is reported and the Warehouse
and Production Manager(s) decide to wash
off the remaining ampoules in factory water,
strip off the labels, re-label in packaging and
have the Lots retested for identity before
release.
• What are some of the issues surrounding this
incident. What could go wrong ? What could
be the risks ?
55

SP6429-2/96064-2 Ver 4.0 25

 96064/SP6429 - 2
Applying Risk Management

Compliance and Improvement

Utilising Risk in CAPA Systems

Document

Audit Train

56

What Makes a Good CAPA System?

• Multiple sub-system in-feeds

• Filtering of events and trends

• Risk based qualification to CAPA

• Symptoms collated and classified

• CAPAs are “vital few” not “symptomatic

many”

• CAPA assigned to responsible persons

• Root Cause Analysis central to investigation

• Commitment tracking and escalation

57

SP6429-2/96064-2 Ver 4.0 26

 96064/SP6429 - 2
Applying Risk Management

CAPA Management Flowchart

Service Reports Manufacturing Quality System

Complaints + Non-conformities + Non-conformities

Minor and Minor and

Register Incidental Risk Incidental Containment
Monitor Assessment Action(s)
Significant

Assign to CAPA Enter CAPA

Team Leader System

RCA/Failure Commitment
Investigation Track

Document
CAPA Plan

Implement Verify
Close CAPA
CAPA Plan Implementation
58

Qualifying CAPAs
Some Useful Questions to Ask ?
Question ? Answer Yes Answer No
Can the problem be handled locally at Probably not a Probably a CAPA
department level CAPA

Is the problem really a symptom Add to existing If significant risk raise

information - no a CAPA
CAPA unless
significant risk
Is there a high compliance risk Raise a CAPA Raise CAPA only if
occurs frequently

Is there a high product/ patient risk Raise a CAPA Raise CAPA only if
occurs frequently

Is the problem likely to re-occur Raise CAPA only if Raise CAPA only if
not tolerable high risk

59

SP6429-2/96064-2 Ver 4.0 27

 96064/SP6429 - 2
Applying Risk Management

Complaints and ADEs

Risk Analysis
Conduct risk analysis twice:

• 1st time to prioritise the investigation

– Fast track potential high risk situation
• Critical = 24 hours and alert senior management
• Major = 5 - 10 days and monitor progress
• Routine = 20 - 30 days

• 2nd time to determine escalation or response

– Critical risk - notify regulatory agency
– Transfer to a CAPA response

60

Validation and Risk in the 21st Century

• A risk assessment approach should be used to determine the

scope and extent of validation.
PIC/S Code of GMP- Annex 15 Clause 1

• Both FDA and Industry recognise that IQ/OQ/PQ has become

an expensive, time consuming process that adds little value
ISPE White Paper - Risk Qualification for the 21st Century

• The PQ is generally where product quality is conferred and as

such the IQ/OQ phases are sub-ordinate.
ISPE White Paper - Risk Qualification for the 21st Century

• Application of PAT has potential to eliminate risk from processes

and reduce reliance on “validation” per se.
ISPE White Paper - Risk Qualification for the 21st Century

61

SP6429-2/96064-2 Ver 4.0 28

 96064/SP6429 - 2
Applying Risk Management

Change Control and Risk/Impact Assessment

Some Lessons Learnt
• Manufacturer of sterile saline changes the bottle
seal (initiated by purchasing) - alters the heat
penetration during autoclaving ….. Unsterile units
manufactured …….. leading to deaths.

• Manufacturer used a different granulation process

for sustained release tablet - particle size different
and tablet fast releases - causes uncontrolled rapid
release of active ….. Heart attacks result.

• Manufacturer substitutes an unapproved supplier of

herbal active material without notifying regulatory
agency ……. Results in defective (contaminated)
product and recall.
62

Compliance Management and Predictive Risk

Programs
• Move from “reactive” risk control to “predictive” approach

• Strategic way to manage compliance and quality

• Use gap analysis and risk rating to prioritise

• Develop a “Risk Committee” for compliance management

• Work on the issue before Regulator points them out

• Benefits are self evident !

63

SP6429-2/96064-2 Ver 4.0 29

 96064/SP6429 - 2
Applying Risk Management

Risk Based Supply Chain Management

• Trigger events:
– Glycerin / Diethylene glycol excipient contaminated
– OSCS contaminated Heparin (over 80 deaths)
– Melamine in milk products
– Lead paint in childrens toys

• FDA response:
– Wider inspection co-operation with EMEA and TGA for API plants
– FDA Globalisation Act 2008 (draft)
– FDA Initiative – Beyond our Borders
– Permanent overseas FDA Offices (China and India)
• Beijing, Shanghai and Guangzhou
• 8 FDA officials
64

Some other recent concerns

• Internet based mail drug imports approx. 10mill / month in USA …

estimated that many are counterfeited

• Asbestos in talc powder – Sth Korea 1200 products recalled

• Heparin OSCS issue re-surfaced in Ireland March 09

• Major Generic firm - stability data integrity (in dispute)

65

SP6429-2/96064-2 Ver 4.0 30

 96064/SP6429 - 2
Applying Risk Management

Applying Risk Management to the Supply

Chain

Vendors – APIs and FDF Post Marketing GDP

Excipients Manufacturers & Vigilance

• cGMP – Annex 8 • cGMPs – Ch 1 and • EU / TGA VOL 9a

Annex 15 / 20 Pharmacovigilance Risk Mgt
• cGMP Chapter 7
• ICH Q9 / ICH Q10 • ICH Q9 (Risk Mgt.)
• ICH Q7 (Actives)
• MHRA Risk based • Product review (GMPs Ch 1)
• ICH Q9 (Risk Mgt.) compliance reports
• PS 9100 (Excipients) • EMEA/192632/2006
– EU Risk Mgt Plan
• FDA Good Importers
Guidance (draft)

• FDA RiskMap

66

Possible Supply Chain Risk Factors

5. Parenteral/ Sterile / Biotech
4. Rx
Patient Risk
Factor 3. OTC
2. Complementary
1. Excipient (???)
5. Known poor quality
Supplier Quality 4. Unknown history / New vendor
History 3. Known quality – OK
2. >10 batches, all OK
1. Long good supply history

5. No site assessment
Supplier Profile 4. No International GMP licenses
and Rating 3. International GMP audits
2. QA reviewed
1. QA vendor audited >1 cycle
67

SP6429-2/96064-2 Ver 4.0 31

 96064/SP6429 - 2
Applying Risk Management

Supply Risks – where to input resources ?

History x Profile
1-5 6 - 10 11 - 15 16 - 20 21 - 25
5
Patient Risk / Severity

68

Risk Analysis Workshop

(Classifying problems using a structured approach)

• The equipment sterilising autoclave is non-GMP in that it does not have a

pre-vac cycle. Product transfer tubing and sterilising filters are sterilised in
the autoclave.

• The large fermentation tank lost positive pressure for 10 minutes during a
fermentation run - due to a loose flange. (Positive pressure is used to
provide a barrier to potential environmental contamination)

• The company had not qualified (IQ/OQ) existing equipment (tablet machine
and blister packer). The equipment has been in use for over 4 years.

• A customer compliant was received with a lack of an expiry date on the

container. It was identified that there was a problem with printing for
approximately 10 container out of a packaging run of 100,000.

• The manufacturer of oral vitamins (only) does visual inspection for

equipment cleanliness and has no cleaning validation program.

69

SP6429-2/96064-2 Ver 4.0 32

 96064/SP6429 - 2
Applying Risk Management

A few final words

• Be careful not to strictly apply a quantitative approach to risk

analysis … qualitative assessment have merit.

• Include experts with experience to “validate” risk positions

• Risk Assessment is a tool not a decision maker per se.

• Do NOT use risk tools “in reverse” ie. start with a presumed
outcome then grade the risk according to what you want the
outcome to be.

• Formalise your risk approach and train managers. Consider using

software to manage risk programs

70

© Copyright of Material

• Please remember that teaching materials and resources provided to

you at UTS are protected by copyright to SeerPharma Pty Ltd. You
are not permitted to re-use those for commercial purposes (including
in kind benefit or gain) without permission of the copyright owner.
Improper or illegal use of teaching materials may lead to prosecution
for copyright infringement. For further information on UTS copyright
for students and researchers see http://www.lib.uts.edu.au/about-
us/policies-guidelines/copyright-and-uts/copyright-students-and-
researchers

71

SP6429-2/96064-2 Ver 4.0 33